Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 04:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cf4c6141e55e4604763d06fe39eb794cb53a711d4fc4350bfaf1b6dc27e7f21f.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
cf4c6141e55e4604763d06fe39eb794cb53a711d4fc4350bfaf1b6dc27e7f21f.exe
-
Size
454KB
-
MD5
f7bcb760b7a13f8ce99619ccd1970e62
-
SHA1
f779eea2724b76cf2257a3444725125805f74659
-
SHA256
cf4c6141e55e4604763d06fe39eb794cb53a711d4fc4350bfaf1b6dc27e7f21f
-
SHA512
8b3a6cd420217e1348ce440e69fd9e2e5e6502b28877668028f5d4fbce09eb792629c1f1a246018e122c518dc6ec45961d73704b635ae4d02a3a6b633a6ee7a7
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeU:q7Tc2NYHUrAwfMp3CDU
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 47 IoCs (YARA rule hits on process memory dumps)
resource yara_rule behavioral1/memory/2084-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-38-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/3004-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-48-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2352-68-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1880-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2420-99-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2420-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1888-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1332-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-130-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1104-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2464-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-191-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2504-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/912-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1728-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1604-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1604-256-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1708-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2428-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2528-376-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1896-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2496-384-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1900-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/696-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-477-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1792-508-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1364-541-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1588-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-657-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2164-665-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1104-718-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2896-726-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/884-845-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2084-856-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-863-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-937-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs
pid Process 2776 7nnnhb.exe 2668 7pjvd.exe 2656 ddjvj.exe 3004 xxlxrxx.exe 2532 flxxllr.exe 2352 xxxlfll.exe 1880 vdjvp.exe 1888 rrrxrxl.exe 2420 pvjvv.exe 2128 ffxfxfr.exe 376 rlflxfr.exe 1332 bbtnbn.exe 1776 flrxrrf.exe 1104 bhhthn.exe 580 1rxfxfx.exe 2884 9xrxxfx.exe 2516 pppdp.exe 604 rllrflx.exe 3024 3jjpv.exe 2464 flfrfrl.exe 2136 vddvd.exe 2504 jjddv.exe 912 jjpdp.exe 2608 xrrlxfx.exe 2064 9dvjj.exe 1728 7xffflf.exe 1604 ppjvj.exe 1708 fffrlrx.exe 2208 rrrfrlx.exe 2948 nnbhnb.exe 1032 9pppd.exe 2160 xffrrrl.exe 2644 djjvj.exe 2204 lfxfxfr.exe 1688 7nhbhn.exe 2824 jdppv.exe 2656 3llxlrf.exe 2852 nnhbth.exe 2528 htthhb.exe 2536 dvpdj.exe 2496 3lllfrf.exe 2428 bhnnbh.exe 1880 1vdjj.exe 1896 7rxlflf.exe 1900 5thhtt.exe 1812 nbbtht.exe 1500 jdppv.exe 1844 fffrlrf.exe 896 bhnbhb.exe 2828 3vjpv.exe 2720 3xrfrxf.exe 2108 3thntb.exe 696 tnnthh.exe 580 xfrfxxr.exe 2748 ntnnnn.exe 2152 9tthnb.exe 3060 1vpvp.exe 916 fllxlxl.exe 1800 3nthth.exe 2112 dvddd.exe 1948 rfllffl.exe 2492 1hthnn.exe 1792 vjdpv.exe 860 3rxlflx.exe -
resource yara_rule behavioral1/memory/2084-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1880-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1888-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1332-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1104-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/912-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-305-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2536-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1896-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/696-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1104-718-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-798-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-816-0x00000000003D0000-0x00000000003FA000-memory.dmp upx behavioral1/memory/2084-856-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-863-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-937-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-944-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP, 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Entries below attributed to "Process not Found" are ones the sandbox could not map to a tracked process (most likely because that process had already exited); they still record the registry read and should not be taken as absence of the behaviour.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nnbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfffrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nhbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xlfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3llxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttntnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs
description pid Process procid_target PID 2084 wrote to memory of 2776 2084 cf4c6141e55e4604763d06fe39eb794cb53a711d4fc4350bfaf1b6dc27e7f21f.exe 31 PID 2084 wrote to memory of 2776 2084 cf4c6141e55e4604763d06fe39eb794cb53a711d4fc4350bfaf1b6dc27e7f21f.exe 31 PID 2084 wrote to memory of 2776 2084 cf4c6141e55e4604763d06fe39eb794cb53a711d4fc4350bfaf1b6dc27e7f21f.exe 31 PID 2084 wrote to memory of 2776 2084 cf4c6141e55e4604763d06fe39eb794cb53a711d4fc4350bfaf1b6dc27e7f21f.exe 31 PID 2776 wrote to memory of 2668 2776 7nnnhb.exe 32 PID 2776 wrote to memory of 2668 2776 7nnnhb.exe 32 PID 2776 wrote to memory of 2668 2776 7nnnhb.exe 32 PID 2776 wrote to memory of 2668 2776 7nnnhb.exe 32 PID 2668 wrote to memory of 2656 2668 7pjvd.exe 33 PID 2668 wrote to memory of 2656 2668 7pjvd.exe 33 PID 2668 wrote to memory of 2656 2668 7pjvd.exe 33 PID 2668 wrote to memory of 2656 2668 7pjvd.exe 33 PID 2656 wrote to memory of 3004 2656 ddjvj.exe 34 PID 2656 wrote to memory of 3004 2656 ddjvj.exe 34 PID 2656 wrote to memory of 3004 2656 ddjvj.exe 34 PID 2656 wrote to memory of 3004 2656 ddjvj.exe 34 PID 3004 wrote to memory of 2532 3004 xxlxrxx.exe 35 PID 3004 wrote to memory of 2532 3004 xxlxrxx.exe 35 PID 3004 wrote to memory of 2532 3004 xxlxrxx.exe 35 PID 3004 wrote to memory of 2532 3004 xxlxrxx.exe 35 PID 2532 wrote to memory of 2352 2532 flxxllr.exe 36 PID 2532 wrote to memory of 2352 2532 flxxllr.exe 36 PID 2532 wrote to memory of 2352 2532 flxxllr.exe 36 PID 2532 wrote to memory of 2352 2532 flxxllr.exe 36 PID 2352 wrote to memory of 1880 2352 xxxlfll.exe 37 PID 2352 wrote to memory of 1880 2352 xxxlfll.exe 37 PID 2352 wrote to memory of 1880 2352 xxxlfll.exe 37 PID 2352 wrote to memory of 1880 2352 xxxlfll.exe 37 PID 1880 wrote to memory of 1888 1880 vdjvp.exe 38 PID 1880 wrote to memory of 1888 1880 vdjvp.exe 38 PID 1880 wrote to memory of 1888 1880 vdjvp.exe 38 PID 1880 wrote to memory of 1888 1880 vdjvp.exe 38 PID 1888 wrote to memory of 2420 1888 rrrxrxl.exe 39 PID 1888 
wrote to memory of 2420 1888 rrrxrxl.exe 39 PID 1888 wrote to memory of 2420 1888 rrrxrxl.exe 39 PID 1888 wrote to memory of 2420 1888 rrrxrxl.exe 39 PID 2420 wrote to memory of 2128 2420 pvjvv.exe 40 PID 2420 wrote to memory of 2128 2420 pvjvv.exe 40 PID 2420 wrote to memory of 2128 2420 pvjvv.exe 40 PID 2420 wrote to memory of 2128 2420 pvjvv.exe 40 PID 2128 wrote to memory of 376 2128 ffxfxfr.exe 41 PID 2128 wrote to memory of 376 2128 ffxfxfr.exe 41 PID 2128 wrote to memory of 376 2128 ffxfxfr.exe 41 PID 2128 wrote to memory of 376 2128 ffxfxfr.exe 41 PID 376 wrote to memory of 1332 376 rlflxfr.exe 42 PID 376 wrote to memory of 1332 376 rlflxfr.exe 42 PID 376 wrote to memory of 1332 376 rlflxfr.exe 42 PID 376 wrote to memory of 1332 376 rlflxfr.exe 42 PID 1332 wrote to memory of 1776 1332 bbtnbn.exe 43 PID 1332 wrote to memory of 1776 1332 bbtnbn.exe 43 PID 1332 wrote to memory of 1776 1332 bbtnbn.exe 43 PID 1332 wrote to memory of 1776 1332 bbtnbn.exe 43 PID 1776 wrote to memory of 1104 1776 flrxrrf.exe 44 PID 1776 wrote to memory of 1104 1776 flrxrrf.exe 44 PID 1776 wrote to memory of 1104 1776 flrxrrf.exe 44 PID 1776 wrote to memory of 1104 1776 flrxrrf.exe 44 PID 1104 wrote to memory of 580 1104 bhhthn.exe 45 PID 1104 wrote to memory of 580 1104 bhhthn.exe 45 PID 1104 wrote to memory of 580 1104 bhhthn.exe 45 PID 1104 wrote to memory of 580 1104 bhhthn.exe 45 PID 580 wrote to memory of 2884 580 1rxfxfx.exe 46 PID 580 wrote to memory of 2884 580 1rxfxfx.exe 46 PID 580 wrote to memory of 2884 580 1rxfxfx.exe 46 PID 580 wrote to memory of 2884 580 1rxfxfx.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf4c6141e55e4604763d06fe39eb794cb53a711d4fc4350bfaf1b6dc27e7f21f.exe"C:\Users\Admin\AppData\Local\Temp\cf4c6141e55e4604763d06fe39eb794cb53a711d4fc4350bfaf1b6dc27e7f21f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\7nnnhb.exec:\7nnnhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\7pjvd.exec:\7pjvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\ddjvj.exec:\ddjvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\xxlxrxx.exec:\xxlxrxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\flxxllr.exec:\flxxllr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\xxxlfll.exec:\xxxlfll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\vdjvp.exec:\vdjvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
\??\c:\rrrxrxl.exec:\rrrxrxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
\??\c:\pvjvv.exec:\pvjvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\ffxfxfr.exec:\ffxfxfr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\rlflxfr.exec:\rlflxfr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
\??\c:\bbtnbn.exec:\bbtnbn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\flrxrrf.exec:\flrxrrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776 -
\??\c:\bhhthn.exec:\bhhthn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
\??\c:\1rxfxfx.exec:\1rxfxfx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:580 -
\??\c:\9xrxxfx.exec:\9xrxxfx.exe17⤵
- Executes dropped EXE
PID:2884 -
\??\c:\pppdp.exec:\pppdp.exe18⤵
- Executes dropped EXE
PID:2516 -
\??\c:\rllrflx.exec:\rllrflx.exe19⤵
- Executes dropped EXE
PID:604 -
\??\c:\3jjpv.exec:\3jjpv.exe20⤵
- Executes dropped EXE
PID:3024 -
\??\c:\flfrfrl.exec:\flfrfrl.exe21⤵
- Executes dropped EXE
PID:2464 -
\??\c:\vddvd.exec:\vddvd.exe22⤵
- Executes dropped EXE
PID:2136 -
\??\c:\jjddv.exec:\jjddv.exe23⤵
- Executes dropped EXE
PID:2504 -
\??\c:\jjpdp.exec:\jjpdp.exe24⤵
- Executes dropped EXE
PID:912 -
\??\c:\xrrlxfx.exec:\xrrlxfx.exe25⤵
- Executes dropped EXE
PID:2608 -
\??\c:\9dvjj.exec:\9dvjj.exe26⤵
- Executes dropped EXE
PID:2064 -
\??\c:\7xffflf.exec:\7xffflf.exe27⤵
- Executes dropped EXE
PID:1728 -
\??\c:\ppjvj.exec:\ppjvj.exe28⤵
- Executes dropped EXE
PID:1604 -
\??\c:\fffrlrx.exec:\fffrlrx.exe29⤵
- Executes dropped EXE
PID:1708 -
\??\c:\rrrfrlx.exec:\rrrfrlx.exe30⤵
- Executes dropped EXE
PID:2208 -
\??\c:\nnbhnb.exec:\nnbhnb.exe31⤵
- Executes dropped EXE
PID:2948 -
\??\c:\9pppd.exec:\9pppd.exe32⤵
- Executes dropped EXE
PID:1032 -
\??\c:\xffrrrl.exec:\xffrrrl.exe33⤵
- Executes dropped EXE
PID:2160 -
\??\c:\djjvj.exec:\djjvj.exe34⤵
- Executes dropped EXE
PID:2644 -
\??\c:\lfxfxfr.exec:\lfxfxfr.exe35⤵
- Executes dropped EXE
PID:2204 -
\??\c:\7nhbhn.exec:\7nhbhn.exe36⤵
- Executes dropped EXE
PID:1688 -
\??\c:\jdppv.exec:\jdppv.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2824 -
\??\c:\3llxlrf.exec:\3llxlrf.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2656 -
\??\c:\nnhbth.exec:\nnhbth.exe39⤵
- Executes dropped EXE
PID:2852 -
\??\c:\htthhb.exec:\htthhb.exe40⤵
- Executes dropped EXE
PID:2528 -
\??\c:\dvpdj.exec:\dvpdj.exe41⤵
- Executes dropped EXE
PID:2536 -
\??\c:\3lllfrf.exec:\3lllfrf.exe42⤵
- Executes dropped EXE
PID:2496 -
\??\c:\bhnnbh.exec:\bhnnbh.exe43⤵
- Executes dropped EXE
PID:2428 -
\??\c:\1vdjj.exec:\1vdjj.exe44⤵
- Executes dropped EXE
PID:1880 -
\??\c:\7rxlflf.exec:\7rxlflf.exe45⤵
- Executes dropped EXE
PID:1896 -
\??\c:\5thhtt.exec:\5thhtt.exe46⤵
- Executes dropped EXE
PID:1900 -
\??\c:\nbbtht.exec:\nbbtht.exe47⤵
- Executes dropped EXE
PID:1812 -
\??\c:\jdppv.exec:\jdppv.exe48⤵
- Executes dropped EXE
PID:1500 -
\??\c:\fffrlrf.exec:\fffrlrf.exe49⤵
- Executes dropped EXE
PID:1844 -
\??\c:\bhnbhb.exec:\bhnbhb.exe50⤵
- Executes dropped EXE
PID:896 -
\??\c:\3vjpv.exec:\3vjpv.exe51⤵
- Executes dropped EXE
PID:2828 -
\??\c:\3xrfrxf.exec:\3xrfrxf.exe52⤵
- Executes dropped EXE
PID:2720 -
\??\c:\3thntb.exec:\3thntb.exe53⤵
- Executes dropped EXE
PID:2108 -
\??\c:\tnnthh.exec:\tnnthh.exe54⤵
- Executes dropped EXE
PID:696 -
\??\c:\xfrfxxr.exec:\xfrfxxr.exe55⤵
- Executes dropped EXE
PID:580 -
\??\c:\ntnnnn.exec:\ntnnnn.exe56⤵
- Executes dropped EXE
PID:2748 -
\??\c:\9tthnb.exec:\9tthnb.exe57⤵
- Executes dropped EXE
PID:2152 -
\??\c:\1vpvp.exec:\1vpvp.exe58⤵
- Executes dropped EXE
PID:3060 -
\??\c:\fllxlxl.exec:\fllxlxl.exe59⤵
- Executes dropped EXE
PID:916 -
\??\c:\3nthth.exec:\3nthth.exe60⤵
- Executes dropped EXE
PID:1800 -
\??\c:\dvddd.exec:\dvddd.exe61⤵
- Executes dropped EXE
PID:2112 -
\??\c:\rfllffl.exec:\rfllffl.exe62⤵
- Executes dropped EXE
PID:1948 -
\??\c:\1hthnn.exec:\1hthnn.exe63⤵
- Executes dropped EXE
PID:2492 -
\??\c:\vjdpv.exec:\vjdpv.exe64⤵
- Executes dropped EXE
PID:1792 -
\??\c:\3rxlflx.exec:\3rxlflx.exe65⤵
- Executes dropped EXE
PID:860 -
\??\c:\3btbhn.exec:\3btbhn.exe66⤵PID:1364
-
\??\c:\ttthbn.exec:\ttthbn.exe67⤵PID:780
-
\??\c:\pppvj.exec:\pppvj.exe68⤵PID:2268
-
\??\c:\fxlfllx.exec:\fxlfllx.exe69⤵PID:1728
-
\??\c:\tntnbb.exec:\tntnbb.exe70⤵PID:2508
-
\??\c:\tnbnnt.exec:\tnbnnt.exe71⤵PID:1640
-
\??\c:\jjvjd.exec:\jjvjd.exe72⤵PID:2156
-
\??\c:\7llrxlr.exec:\7llrxlr.exe73⤵PID:1816
-
\??\c:\nhbnbh.exec:\nhbnbh.exe74⤵PID:1588
-
\??\c:\3pjvd.exec:\3pjvd.exe75⤵PID:2780
-
\??\c:\1lflrxf.exec:\1lflrxf.exe76⤵PID:2888
-
\??\c:\llfxfll.exec:\llfxfll.exe77⤵PID:2764
-
\??\c:\3bbhtb.exec:\3bbhtb.exe78⤵PID:1580
-
\??\c:\jpjpj.exec:\jpjpj.exe79⤵PID:3048
-
\??\c:\lffllxr.exec:\lffllxr.exe80⤵PID:2752
-
\??\c:\hhnnbh.exec:\hhnnbh.exe81⤵PID:2708
-
\??\c:\jjjvd.exec:\jjjvd.exe82⤵PID:2716
-
\??\c:\dvjpv.exec:\dvjpv.exe83⤵PID:2732
-
\??\c:\5fxxffr.exec:\5fxxffr.exe84⤵PID:2964
-
\??\c:\7hntnt.exec:\7hntnt.exe85⤵PID:2352
-
\??\c:\1ppjj.exec:\1ppjj.exe86⤵PID:2496
-
\??\c:\xllxxfx.exec:\xllxxfx.exe87⤵PID:2968
-
\??\c:\btnhnt.exec:\btnhnt.exe88⤵PID:2164
-
\??\c:\tbbtht.exec:\tbbtht.exe89⤵PID:2396
-
\??\c:\jdvdp.exec:\jdvdp.exe90⤵PID:1904
-
\??\c:\9frrfrr.exec:\9frrfrr.exe91⤵PID:1268
-
\??\c:\5nhhbt.exec:\5nhhbt.exe92⤵PID:1860
-
\??\c:\vvvdp.exec:\vvvdp.exe93⤵PID:2596
-
\??\c:\frrrrxl.exec:\frrrrxl.exe94⤵PID:2860
-
\??\c:\xflxlfr.exec:\xflxlfr.exe95⤵PID:796
-
\??\c:\tnbhhh.exec:\tnbhhh.exe96⤵PID:1104
-
\??\c:\jvpvd.exec:\jvpvd.exe97⤵PID:2896
-
\??\c:\3rfrfxx.exec:\3rfrfxx.exe98⤵PID:2900
-
\??\c:\1nhhbh.exec:\1nhhbh.exe99⤵PID:2088
-
\??\c:\nnttth.exec:\nnttth.exe100⤵PID:3020
-
\??\c:\dddpp.exec:\dddpp.exe101⤵PID:604
-
\??\c:\rlffllf.exec:\rlffllf.exe102⤵PID:448
-
\??\c:\llflllr.exec:\llflllr.exe103⤵PID:1680
-
\??\c:\dvjpv.exec:\dvjpv.exe104⤵PID:2008
-
\??\c:\1bthtt.exec:\1bthtt.exe105⤵PID:2140
-
\??\c:\nhbbnn.exec:\nhbbnn.exe106⤵PID:2488
-
\??\c:\jdvvj.exec:\jdvvj.exe107⤵PID:2484
-
\??\c:\hbntbh.exec:\hbntbh.exe108⤵PID:2992
-
\??\c:\3ddpv.exec:\3ddpv.exe109⤵PID:1648
-
\??\c:\xrrrxfr.exec:\xrrrxfr.exe110⤵PID:1724
-
\??\c:\nhbbnt.exec:\nhbbnt.exe111⤵PID:1716
-
\??\c:\pvvpj.exec:\pvvpj.exe112⤵PID:320
-
\??\c:\dvpdp.exec:\dvpdp.exe113⤵PID:560
-
\??\c:\lfxflrl.exec:\lfxflrl.exe114⤵PID:2880
-
\??\c:\tnhhtb.exec:\tnhhtb.exe115⤵PID:2460
-
\??\c:\7pjvp.exec:\7pjvp.exe116⤵PID:884
-
\??\c:\vpjpd.exec:\vpjpd.exe117⤵PID:2144
-
\??\c:\lxxlfrr.exec:\lxxlfrr.exe118⤵PID:2084
-
\??\c:\1nbhnb.exec:\1nbhnb.exe119⤵PID:2664
-
\??\c:\ppdjv.exec:\ppdjv.exe120⤵PID:2644
-
\??\c:\xxllffx.exec:\xxllffx.exe121⤵PID:2800
-
\??\c:\xlllxxr.exec:\xlllxxr.exe122⤵PID:2568